Google’s Project Zero unveils fixed iMessage vulnerability

Google’s Project Zero, a team of security analysts employed by the search giant, has unveiled a flaw with Apple’s iMessage platform that caused crashes on both macOS and iOS.

Loading...

Project Zero often uncovers security vulnerabilities from other companies and gives them 90 days to fix them before revealing the vulnerability to the public, which is standard for security issues. In the case of the iMessage vulnerability, Project Zero first discovered and revealed the flaw to Apple in April.

The vulnerability involved sending a “malformed message” containing a text key which caused an exception. In macOS, that exception would cause ‘soagent’ to crash and restart.

On iOS, the flaw was more severe, as the exception would affect Springboard, which powers the device’s home screen. The message would cause Springboard to crash and constantly restart, making the iPhone unusable.

To make matters worse, the behaviour would persist through a full reboot, essentially bricking the device.

According to the Project Zero issue tracker page for the flaw, the only way to fix an iPhone that received one of these messages would be to wipe it, put it in recovery mode and update it through iTunes or remove the SIM card and move out of Wi-Fi range, then wipe phone from the Settings menu.

Thankfully, Apple fixed this flaw in May with the release of iOS 12.3, so as long as your iPhone is up to date, you shouldn’t have to worry about the issue.

This isn’t the first time Project Zero has found a flaw in an Apple OS. Back in March, Google disclosed a severe vulnerability in the macOS kernel before Apple released a patch.